@contrast/agent 4.8.0 → 4.9.0

package/lib/assess/sources/event-handler.js

@@ -0,0 +1,307 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const logger = require('../../core/logger')('contrast:assess.sources');
+const { PATCH_TYPES } = require('../../constants');
+const { CallContext, SourceEvent } = require('../models');
+const TraceEventSource = require('../../reporter/models/trace-event-source');
+const { AsyncStorage, KEYS } = require('../../core/async-storage');
+const TagRange = require('../models/tag-range');
+const patcher = require('../../hooks/patcher');
+const tracker = require('../../tracker');
+const parseurl = require('parseurl');
+
+const SOURCE_EVENT_MAX = 250;
+const trackedObjects = new WeakMap();
+
+class SourceEventHandler {
+  constructor({
+    config = {
+      agent: {
+        node: {
+          array_request_sampling: {
+            enable: true,
+            threshold: 50,
+            interval: 5
+          }
+        }
+      }
+    },
+    ensureReq = true,
+    exclusions,
+    stackOpts,
+    snapshot,
+    signature,
+    type = 'UNKNOWN'
+  } = {}) {
+    this.config = config;
+    this.exclusions = exclusions;
+    this.type = type;
+    this.snapshot = snapshot;
+    this.signature = signature;
+    this.stackOpts = stackOpts;
+    this.ensureReq = ensureReq;
+    this.samplingEnabled = config.agent.node.array_request_sampling.enable;
+    this.samplingThreshold = config.agent.node.array_request_sampling.threshold;
+    this.samplingInterval = this.samplingEnabled
+      ? config.agent.node.array_request_sampling.interval
+      : 1;
+
+    this.inputExclusions = [];
+    this.urlExclusions = [];
+    this.skipEvent = false;
+    this.sourceEventCount = 0;
+
+    this.init();
+  }
+
+  init() {
+    // values reused in functions
+    this.req = AsyncStorage.get(KEYS.REQ);
+
+    // NODE-1431: prevents crashing when req is not present in AsyncStorage.
+    if (!this.req) {
+      if (!this.ensureReq) return;
+
+      this.skipEvent = true;
+      logger.debug(
+        'failed to handle source event for type: %s; request not present in async storage',
+        this.type
+      );
+    }
+
+    if (!this.exclusions) return;
+
+    const { pathname } = parseurl(this.req);
+
+    this.inputExclusions = this.exclusions
+      .getInputExclusions('assess')
+      .reduce((acc, e) => {
+        if (!e.matchesUrl(pathname)) return acc;
+
+        // `isNamed` is false for exclusion types such as BODY and QUERYSTRING which
+        // apply to the entire set of params not only those by a specified name. Also
+        // is true if the input name is set to wildcard "*" meaning it should apply to
+        // all values. In each case there's no need to wrap if all rules are excluded.
+        if (!this.skipEvent && e.appliesToAllAssessRules() && !e.isNamed) {
+          logExclusionMessage(e, this.type);
+          this.skipEvent = true;
+        }
+
+        acc.push(e);
+        return acc;
+      }, []);
+
+    this.urlExclusions = this.exclusions
+      .getUrlExclusions('assess')
+      .reduce((acc, e) => {
+        if (!e.matchesUrl(pathname)) return acc;
+
+        if (!this.skipEvent && e.appliesToAllAssessRules()) {
+          logExclusionMessage(e, this.type);
+          this.skipEvent = true;
+        }
+
+        acc.push(e);
+        return acc;
+      }, []);
+  }
+
+  /**
+   *
+   * @param {object} param
+   * @param {object} param.obj usually the incoming message
+   * @param {string} param.prop obj[prop] is containing user-controlled data
+   */
+  handle({ obj, prop }) {
+    this.typeKey = prop;
+
+    if (this.skipEvent) return;
+
+    this.traverseAndTrack({ obj, key: prop });
+  }
+
+  // eslint-disable-next-line complexity
+  traverseAndTrack({ obj, key, path = [] }) {
+    const value = obj[key];
+
+    if (!value) return;
+
+    if (this.sourceEventCount > SOURCE_EVENT_MAX) {
+      logger.debug('max sources exceeded for %s', this.type);
+      return;
+    }
+
+    if (Array.isArray(value)) {
+      const limit = Math.min(value.length, this.samplingThreshold);
+
+      trackedObjects.set(value, { ...this, path, key });
+
+      for (let i = 0; i < limit; i += this.samplingInterval) {
+        this.traverseAndTrack({
+          obj: value,
+          key: i,
+          path: [...path, i]
+        });
+      }
+    } else if (Buffer.isBuffer(value)) {
+      this.sourceEventCount++;
+      patcher.patch(value, 'toString', {
+        name: 'Buffer.toString',
+        alwaysRun: true,
+        patchType: PATCH_TYPES.MISC,
+        post: (wrapCtx) => {
+          this.trackStringProp({
+            obj: wrapCtx,
+            key: 'result',
+            path
+          });
+        }
+      });
+    } else if (typeof value === 'string' || value instanceof String) {
+      this.sourceEventCount++;
+      this.trackStringProp({ obj, key, path });
+    } else if (typeof value === 'object') {
+      trackedObjects.set(value, { ...this, path, key });
+
+      for (const objKey of Object.keys(value)) {
+        this.traverseAndTrack({
+          obj: value,
+          path: [...path, objKey],
+          key: objKey
+        });
+      }
+    }
+  }
+
+  trackStringProp({ obj, key, path, value = obj[key] }) {
+    const trackData = tracker.track(value);
+    if (!trackData) {
+      return;
+    }
+
+    const name = path.join('.');
+    const { props, str: result } = trackData;
+
+    props.tagRanges = this.getTagRanges({ name, result });
+    props.event = new SourceEvent({
+      context: new CallContext({
+        obj: 'IncomingMessage {}',
+        args: [`${this.typeKey}.${name}`],
+        result,
+        stackOpts: this.stackOpts
+      }),
+      code: `req.${this.typeKey}.${name}`,
+      signature: this.signature,
+      tagRanges: props.tagRanges,
+      target: 'R',
+      type: this.type,
+      name
+    });
+
+    // NOTE: this used to happen on access in SourceMembrane.onString(), though we
+    // should be able to determine access of source value during dataflow - when a
+    // source is tracked into PROPAGATION or SINK event.
+    storeSource({ type: this.type, name: key });
+
+    obj[key] = result;
+  }
+
+  getTagRanges({ result, name }) {
+    const stop = result.length - 1;
+    const tagRanges = [new TagRange(0, stop, 'untrusted')];
+
+    const typeLowerCase = this.type.toLowerCase();
+    const nameLowerCase = name.toLocaleLowerCase();
+
+    if (typeLowerCase === 'header' && nameLowerCase !== 'referer') {
+      tagRanges.push(new TagRange(0, stop, 'header'));
+    }
+
+    if (typeLowerCase === 'cookie') {
+      tagRanges.push(new TagRange(0, stop, 'cookie'));
+    }
+
+    if (!this.inputExclusions.length) {
+      return tagRanges;
+    }
+
+    const rules = new Set();
+
+    /* 
+      Maybe it's pointless because we set skipEvent to true if appliesToAllAssessRules
+      and we won't get here
+    */
+    const exclusions = this.inputExclusions.filter(
+      (e) => !e.appliesToAllAssessRules()
+    );
+
+    for (const exclusion of exclusions) {
+      if (!exclusion.matches(name)) {
+        continue;
+      }
+
+      for (const ruleId of exclusion.assessmentRulesList) {
+        logger.debug(
+          'excluding %s %s value from %s (%s)',
+          this.type,
+          name,
+          ruleId,
+          exclusion.name
+        );
+
+        if (!rules.has(ruleId)) {
+          tagRanges.push(new TagRange(0, stop, `exclusion:${ruleId}`));
+        }
+
+        rules.add(ruleId);
+      }
+    }
+
+    return tagRanges;
+  }
+}
+
+function storeSource({ type, name }) {
+  let storedSources = AsyncStorage.get(KEYS.SOURCES);
+
+  if (!storedSources) {
+    // if this is the first source stored on the request, initialize a map
+    // and set the storedSources to be a reference to the new, empty map.
+    storedSources = new Map();
+    AsyncStorage.set(KEYS.SOURCES, storedSources);
+  }
+
+  // there are cases where AsyncStorage context is out of sync, add defensive code so we don't
+  // crash.
+  if (storedSources) {
+    // save event for route coverage (data pulled in for RouteInfo object)
+    // only want to save unique values
+    storedSources.set(`${type}-${name}`, new TraceEventSource({ type, name }));
+  }
+}
+
+function logExclusionMessage(exclusion, type) {
+  const { name } = exclusion;
+  logger.debug(
+    'excluding %s inputs from all assess rules (%s)',
+    type.toLowerCase(),
+    name
+  );
+}
+
+module.exports.SourceEventHandler = SourceEventHandler;
+module.exports.trackedObjects = trackedObjects;

package/lib/assess/sources/index.js

@@ -26,9 +26,12 @@ const parseurl = require('parseurl');
 const {
   EXCLUSION_INPUT_TYPES: { BODY, HEADER, PARAMETER, QUERYSTRING, COOKIE }
 } = require('../../constants');
+const { Signature } = require('../models');
 
 const sources = module.exports;
 
+const { SourceEventHandler } = require('./event-handler');
+
 /**
  * Registers sources for assess instrumentation
  */
@@ -60,19 +63,104 @@ sources.track = function(type, parent, key, membrane) {
  */
 sources.registerListeners = function({ config, exclusions }) {
   agentEmitter.on('assess.body', (obj, prop) => {
-    sources.handleSourceEvent(config, exclusions, BODY, obj, prop);
+    if (!config.agent.traverse_and_track) {
+      return sources.handleSourceEvent(config, exclusions, BODY, obj, prop);
+    }
+
+    agentEmitter.emit('assess.source', {
+      config,
+      exclusions,
+      obj,
+      prop,
+      data: obj[prop],
+      type: BODY
+    });
   });
   agentEmitter.on('assess.headers', (obj, prop) => {
-    sources.handleSourceEvent(config, exclusions, HEADER, obj, prop);
+    if (!config.agent.traverse_and_track) {
+      return sources.handleSourceEvent(config, exclusions, HEADER, obj, prop);
+    }
+
+    agentEmitter.emit('assess.source', {
+      obj,
+      prop,
+      data: obj[prop],
+      type: HEADER
+    });
   });
   agentEmitter.on('assess.params', (obj, prop) => {
-    sources.handleSourceEvent(config, exclusions, PARAMETER, obj, prop);
+    if (!config.agent.traverse_and_track) {
+      return sources.handleSourceEvent(
+        config,
+        exclusions,
+        PARAMETER,
+        obj,
+        prop
+      );
+    }
+
+    agentEmitter.emit('assess.source', {
+      obj,
+      prop,
+      data: obj[prop],
+      type: PARAMETER
+    });
   });
   agentEmitter.on('assess.query', (obj, prop) => {
-    sources.handleSourceEvent(config, exclusions, QUERYSTRING, obj, prop);
+    if (!config.agent.traverse_and_track) {
+      return sources.handleSourceEvent(
+        config,
+        exclusions,
+        QUERYSTRING,
+        obj,
+        prop
+      );
+    }
+
+    agentEmitter.emit('assess.source', {
+      obj,
+      prop,
+      data: obj[prop],
+      type: QUERYSTRING
+    });
   });
+
   agentEmitter.on('assess.cookies', (obj, prop) => {
-    sources.handleSourceEvent(config, exclusions, COOKIE, obj, prop);
+    if (!config.agent.traverse_and_track) {
+      return sources.handleSourceEvent(config, exclusions, COOKIE, obj, prop);
+    }
+
+    agentEmitter.emit('assess.source', {
+      obj,
+      prop,
+      type: COOKIE
+    });
+  });
+
+  // might be helpful for clients to send add'l values in event arg
+  //   - stackOpts: elide frames from function ref in client instrumentation
+  //   - signature: rather than create shared one in the handler
+  //   - or stack snapshot function - could share among SourceEvents
+  //   - call context to share among SourceEvents
+  agentEmitter.on('assess.source', ({ obj, prop, type, signature }) => {
+    if (!signature) {
+      signature = new Signature({
+        moduleName: 'Object',
+        methodName: 'getter',
+        args: [prop],
+        return: 'String',
+        isModule: false
+      });
+    }
+
+    new SourceEventHandler({
+      config,
+      exclusions,
+      signature,
+      type,
+      stackOpts: undefined,
+      snapshot: undefined
+    }).handle({ obj, prop });
   });
 };
 

package/lib/assess/spdy/index.js

@@ -0,0 +1,23 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const AssessSinks = require('./sinks');
+
+module.exports = class SpdyInstrumentation {
+  constructor(agent) {
+    new AssessSinks(agent);
+  }
+};

package/lib/assess/spdy/sinks/index.js

@@ -0,0 +1,23 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const ReflectedXss = require('./xss');
+
+module.exports = class SpdySinks {
+  constructor(agent) {
+    new ReflectedXss(agent);
+  }
+};

package/lib/assess/spdy/sinks/xss.js

@@ -0,0 +1,84 @@
+/**
+Copyright: 2022 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const agentEmitter = require('../../../agent-emitter');
+const { HTTP_RESPONSE_HOOKED_METHOD_KEYS } = require('../../../constants');
+const policy = require('../../policy');
+const { Signature, CallContext } = require('../../models');
+
+class SpdyXss {
+  constructor(agent) {
+    this.common = require('../../sinks/common')(agent);
+    this.rules = policy.rules;
+    this.ruleId = 'reflected-xss';
+    this.signature = new Signature({
+      moduleName: 'spdy.response',
+      methodName: 'push',
+      isModule: false
+    });
+    agentEmitter.on(
+      HTTP_RESPONSE_HOOKED_METHOD_KEYS.PUSH,
+      this.checkResult.bind(this)
+    );
+  }
+
+  /**
+   * checks if an assess rule is enabled in policy
+   */
+  get enabled() {
+    return (
+      this.rules &&
+      this.rules['reflected-xss'] &&
+      this.rules['reflected-xss'].enabled
+    );
+  }
+
+  checkResult(body) {
+    if (!this.enabled) {
+      return;
+    }
+
+    const { ruleId, signature } = this;
+
+    const {
+      isVulnerable,
+      xss: { disallowedTags },
+      requiredTags,
+      report
+    } = this.common;
+
+    if (
+      isVulnerable({
+        input: body,
+        disallowedTags,
+        requiredTags,
+        ruleId
+      })
+    ) {
+      const ctxt = new CallContext({
+        obj: body,
+        args: [body],
+        result: body,
+        stackOpts: {
+          constructorOpt: agentEmitter.emit
+        }
+      });
+      report({ ruleId, signature, input: body, ctxt });
+    }
+  }
+}
+
+module.exports = SpdyXss;

package/lib/assess/technologies/index.js

@@ -31,7 +31,8 @@ const technologies = {
     'fastify',
     'restify',
     'loopback',
-    'kraken-js'
+    'kraken-js',
+    'sails'
   ],
   templating: ['jade', 'ejs', 'nunjucks', 'mustache', 'dust', 'handlebars'],
   loggers: ['winston', 'debug'],

package/lib/constants.js

@@ -644,7 +644,8 @@ const REQUIRED_SIGNATURE_KEYS = [
 
 const HTTP_RESPONSE_HOOKED_METHOD_KEYS = {
   WRITE_HEAD: Symbol('writeHead'),
-  END: Symbol('end')
+  END: Symbol('end'),
+  PUSH: Symbol('push')
 };
 
 const PATCH_TYPES = {

package/lib/contrast.js

@@ -178,7 +178,7 @@ contrastAgent.configureGlobalLogger = function(config, args, target = global) {
 
 function getAgentArgs(options) {
   const agentArgs = {};
-  options.options.forEach((opt) => {
+  program.options.forEach((opt) => {
     if (opt.name() !== 'application.args' && options[opt.name()]) {
       agentArgs[opt.name()] = options[opt.name()];
     }
@@ -243,8 +243,8 @@ contrastAgent.prepare = function(...args) {
 
     logger.info('Using config file at %s', config.configFile);
     // log the argv before and after modification.
-    logger.info(`Original argv: ${options.rawArgs.join(', ')}`);
-    logger.info(`Modified argv: ${options.args.join(', ')}`);
+    logger.info(`Original argv: ${program.rawArgs.join(', ')}`);
+    logger.info(`Modified argv: ${program.args.join(', ')}`);
 
     agent.config = config;
     agent.tsFeatureSet.config = config;
@@ -335,12 +335,12 @@ contrastAgent.init = async function(args, isCli = false) {
     // source: args passed to cli, destination: args after cli parsed it
     .action(async function callPrepare(options, commanderArgs = []) {
       // the user app main differs if a runner vs preload
-      script = isCli ? options.args[0] : options.rawArgs[1];
+      script = isCli ? program.args[0] : program.rawArgs[1];
       options.script = script;
       // need to slice off app main in runner mode
       options['application.args'] = isCli
-        ? options.args.slice(1)
-        : options.args;
+        ? program.args.slice(1)
+        : program.args;
 
       try {
         enabled = await contrastAgent.prepare(options, commanderArgs, isCli);

package/lib/core/arch-components/index.js

@@ -18,3 +18,4 @@ require('./sqlite3');
 require('./postgres');
 require('./dynamodb');
 require('./dynamodbv3');
+require('./rethinkdb');

package/lib/core/arch-components/mongodb.js

@@ -28,25 +28,29 @@ ModuleHook.resolve(
       patchType: PATCH_TYPES.ARCH_COMPONENT,
       alwaysRun: true,
       post(ctx) {
-        try {
-          const { servers = [] } = this.s.options;
-          if (servers.length === 0) {
-            logger.warn('Unable to find any MongoDB servers\n');
-          }
-          for (const server of servers) {
-            agentEmitter.emit('architectureComponent', {
-              vendor: 'MongoDB',
-              url: `mongodb://${server.host}`,
-              remoteHost: '',
-              remotePort: server.port
-            });
-          }
-        } catch (err) {
-          logger.warn(
-            'unable to report MongoDB architecture component\n%o',
-            err
-          );
+        if (!ctx.result || !ctx.result.then) {
+          return;
         }
+
+        // We should report only when connection is successful
+        ctx.result.then(function(client) {
+          try {
+            const { servers = [] } = ctx.obj.s && ctx.obj.s.options;
+            for (const server of servers) {
+              agentEmitter.emit('architectureComponent', {
+                vendor: 'MongoDB',
+                url: `mongodb://${server.host}:${server.port}`,
+                remoteHost: '',
+                remotePort: server.port
+              });
+            }
+          } catch (err) {
+            logger.warn(
+              'unable to report MongoDB architecture component\n%o',
+              err
+            );
+          }
+        });
       }
     });
   }